This project leverages HashiCorp Vault to:
- Dynamically manage PostgreSQL credentials: Vault automatically generates and manages time-bound database credentials.
- Generate one-time passwords (OTP) for SSH login: Vault issues OTPs for secure SSH access.
- Sign public keys for SSH login: Vault signs SSH public keys, enabling certificate-based authentication for secure SSH logins without the need to distribute public SSH keys across environments.
The project includes Docker configurations for both the PostgreSQL and SSH services, along with Vault integration to securely issue and manage credentials for these services.
Make sure you have the following installed:
- Docker
- Docker Compose
- Vault CLI
```text
├── postgres/
│   ├── Dockerfile          # Dockerfile for building the PostgreSQL image.
│   └── init-db.sql         # Initialization scripts for PostgreSQL.
├── ssh-server-otp-auth/
│   ├── Dockerfile          # Dockerfile for building the SSH server that uses OTP for authentication.
│   ├── config.hcl          # Config for vault-ssh-helper, which connects to the Vault server.
│   ├── sshd                # PAM configuration integrating Vault-based SSH authentication and session management.
│   ├── sshd_config         # SSH server configuration enabling OTP authentication.
├── ssh-server-signed-cert-auth/
│   ├── Dockerfile          # Dockerfile for building the SSH server that uses signed keys for authentication.
│   └── sshd_config         # SSH server configuration enabling signed SSH key authentication.
├── vault/
│   ├── config/
│   │   └── vault.json      # Vault configuration, specifying how Vault should operate.
│   ├── Dockerfile          # Dockerfile for building HashiCorp Vault.
│   ├── setup_vault.sh      # Initialization script for setting up Vault.
│   └── README.md
└── docker-compose.yml      # Orchestrates the multi-container Docker setup running Postgres, Vault and the SSH servers.
```
Clone the repository and start the containers:
```shell
git clone https://github.com/dawood9598/vault-secrets-management
cd vault-secrets-management
docker-compose up -d --build
```
To set up Vault, run the initialization script:
```shell
cd vault
sh setup_vault.sh
```
This script performs the following steps:
- Initializes Vault, generating the unseal keys and the root token and storing them in `init.file`.
- Unseals Vault using the generated unseal keys.
- Logs into Vault with the root token.
- Enables the SSH secrets engine and configures One-Time Password (OTP) SSH authentication.
- Writes SSH policies that allow OTP-based SSH login.
- Creates a Vault token for accessing SSH credentials.
- Enables the database secrets engine for Postgres.
- Configures Vault to manage Postgres with a `readonly` role.
- Configures the SSH secrets engine to sign public SSH keys.
To enable username/password login to Vault (user `vault` with the `admins` policy):
```shell
vault auth enable userpass
vault write auth/userpass/users/vault password=vault policies=admins
```
To generate a username and password for the Postgres database, run:
```shell
vault read database/creds/readonly
```
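The credential returned above is a lease, not a permanent account: it carries a `lease_id` and a `lease_duration`, and it disappears from Postgres when the lease expires. The following Python example, added here and not part of the repository, parses the JSON form of that output (`vault read -format=json database/creds/readonly`), records when the credential expires, decides when it should be renewed, and builds the `vault lease renew` / `vault lease revoke` commands for it. The sample JSON, the `postgres` host name and the database name are constructed for the example.

```python
import json

# Constructed sample of what `vault read -format=json database/creds/readonly`
# prints. The username and password values are made up, not real credentials.
SAMPLE_VAULT_OUTPUT = """{
  "request_id": "constructed-request-id",
  "lease_id": "database/creds/readonly/constructed-lease-id",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "username": "v-token-readonly-constructed",
    "password": "constructed-password"
  }
}"""


def parse_lease(raw_json, issued_at):
    """Extract the dynamic credential and compute its absolute expiry.

    issued_at is the Unix time at which `vault read` was run; Vault reports
    lease_duration relative to that moment, so the caller must record it.
    """
    doc = json.loads(raw_json)
    return {
        "lease_id": doc["lease_id"],
        "renewable": doc["renewable"],
        "username": doc["data"]["username"],
        "password": doc["data"]["password"],
        "expires_at": issued_at + doc["lease_duration"],
    }


def needs_renewal(lease, now, margin_seconds=300):
    """True when the lease expires within margin_seconds (or has already expired).

    Renewing ahead of expiry avoids a connection pool suddenly holding a
    username that Postgres no longer knows about.
    """
    return now >= lease["expires_at"] - margin_seconds


def renewal_command(lease):
    """The Vault CLI invocation that extends this lease (if it is renewable)."""
    return ["vault", "lease", "renew", lease["lease_id"]]


def revoke_command(lease):
    """The Vault CLI invocation that drops the role immediately when the
    consumer is done with it, rather than waiting for the TTL to run out."""
    return ["vault", "lease", "revoke", lease["lease_id"]]


def build_dsn(lease, host="postgres", port=5432, dbname="postgres"):
    """libpq key=value connection string using the short-lived credential.
    Host and database name are assumptions for this example."""
    return (f"host={host} port={port} dbname={dbname} "
            f"user={lease['username']} password={lease['password']} sslmode=require")


if __name__ == "__main__":
    issued = 1_000_000                      # constructed issue time
    lease = parse_lease(SAMPLE_VAULT_OUTPUT, issued)
    print(build_dsn(lease))
    print("renew now?", needs_renewal(lease, issued))
    print("renew at T+3400?", needs_renewal(lease, issued + 3400))
    print(" ".join(renewal_command(lease)))
```

`vault lease renew` only succeeds while the lease is still alive and `renewable` is true; once it has expired, the consumer has to call `vault read database/creds/readonly` again and reconnect with the new username.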
To generate a One-Time Password (OTP) for SSH, use:
```shell
vault write ssh/creds/otp_key_role ip=<IP of ssh server container>
```
By signing clients' SSH keys, Vault facilitates secure and automated SSH access without the need to distribute public SSH keys across environments.
1. Generate an SSH key pair for the client:
   ```shell
   ssh-keygen -t rsa -b 2048 -f vault-test
   ```
2. Have Vault sign the public key and save the returned certificate:
   ```shell
   vault write -field=signed_key ssh-client-signer/sign/ssh-user-cert-signer public_key=@vault-test.pub valid_principals=root > signed-cert.pub
   ```
3. Fetch the public key from Vault's SSH client signer and store it in the SSH server. This public key is used by the SSH server to verify the authenticity of SSH certificates signed by Vault.
   ```shell
   curl -o /etc/ssh/trusted-user-ca-keys.pem http://vault:8200/v1/ssh-client-signer/public_key
   ```
4. Log in with the signed certificate together with the matching private key:
   ```shell
   ssh -i signed-cert.pub -i vault-test root@localhost -p 3021
   ```
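What the SSH server actually checks in step 4 is the content of `signed-cert.pub`: the certificate type, the `valid_principals` list (here `root`), the validity window, and a signature by the CA key fetched in step 3. The following Python example, added here and not part of the repository, builds a certificate in the `ssh-rsa-cert-v01@openssh.com` wire layout and parses it back to answer "may this principal log in right now?". The key material and signature inside the constructed certificate are placeholders, so the example deliberately stops short of signature verification, which is the server's job against `trusted-user-ca-keys.pem`.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"

# --- SSH wire-format helpers (RFC 4251 string / uint32 / uint64 / mpint) ---
def _string(b):
    return struct.pack(">I", len(b)) + b

def _uint32(n):
    return struct.pack(">I", n)

def _uint64(n):
    return struct.pack(">Q", n)

def _mpint(n):
    # One spare byte keeps the two's-complement encoding positive when the top bit is set.
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


class _Reader:
    """Sequential reader over a decoded certificate blob."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        value = self.data[self.pos:self.pos + n]
        self.pos += n
        return value

    def uint32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def uint64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v


def build_user_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed certificate line in the layout of Vault's signed_key output.
    Key and signature fields are placeholders: it parses, but would never verify."""
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                    # nonce
        _mpint(65537),                            # RSA e (toy value)
        _mpint(0xC0FFEE),                         # RSA n (toy value, not a real key)
        _uint64(serial),
        _uint32(1),                               # 1 = user certificate, 2 = host certificate
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        _uint64(valid_after),
        _uint64(valid_before),
        _string(b""),                             # critical options (none)
        _string(b""),                             # extensions (none)
        _string(b""),                             # reserved
        _string(b"constructed-ca-public-key"),    # signature key (placeholder)
        _string(b"constructed-signature"),        # signature (placeholder)
    ])
    return CERT_TYPE + " " + base64.b64encode(body).decode()


def parse_user_cert(line):
    """Decode the fields sshd consults before it even looks at the signature."""
    cert_type, b64 = line.split()[:2]
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type: " + cert_type)
    r = _Reader(base64.b64decode(b64))
    if r.string() != CERT_TYPE.encode():
        raise ValueError("blob type does not match line prefix")
    r.string()                                    # nonce
    r.string(); r.string()                        # RSA e, n (not needed here)
    serial = r.uint64()
    kind = r.uint32()
    key_id = r.string().decode()
    principal_reader = _Reader(r.string())        # packed list of strings
    principals = []
    while principal_reader.pos < len(principal_reader.data):
        principals.append(principal_reader.string().decode())
    valid_after = r.uint64()
    valid_before = r.uint64()
    return {"serial": serial, "type": kind, "key_id": key_id,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def login_allowed(cert, principal, now):
    """Mirror sshd's pre-signature checks: user cert, principal listed, inside the
    window (valid_before is exclusive, as in OpenSSH)."""
    return (cert["type"] == 1
            and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


if __name__ == "__main__":
    # Constructed 30-minute certificate for principal root, like the one from step 2.
    line = build_user_cert("vault-root-cert", ["root"], 1_000_000, 1_001_800)
    cert = parse_user_cert(line)
    print(cert)
    print("root at T+15min:", login_allowed(cert, "root", 1_000_900))
    print("alice at T+15min:", login_allowed(cert, "alice", 1_000_900))
    print("root after expiry:", login_allowed(cert, "root", 1_001_800))
```

For a real certificate produced by step 2, `ssh-keygen -L -f signed-cert.pub` prints the same fields (Key ID, Principals, Valid window, Extensions), which is the quickest way to confirm that `valid_principals=root` and the role's TTL came out as intended before debugging a refused login.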